--- /dev/null
+From cf6b604011591865ae39ac82de8978c1120d17af Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:51 +0200
+Subject: batman-adv: bla: only purge non-released claims
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit cf6b604011591865ae39ac82de8978c1120d17af upstream.
+
+When batadv_bla_purge_claims() goes through the list of claims, it is only
+traversing the hash list with an rcu_read_lock(). Due to a potential
+parallel batadv_claim_put(), it can happen that it encounters a claim which
+was actually in the process of being released+freed by
+batadv_claim_release(). In this case, backbone_gw is set to NULL before the
+delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is
+then no longer allowed because it would cause a NULL-ptr derefence.
+
+To avoid this, only claims with a valid reference counter must be purged.
+All others are already taken care of.
+
+Cc: stable@kernel.org
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1288,6 +1288,13 @@ static void batadv_bla_purge_claims(stru
+
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(claim, head, hash_entry) {
++ /* only purge claims not currently in the process of being released.
++ * Such claims could otherwise have a NULL-ptr backbone_gw set because
++ * they already went through batadv_claim_release()
++ */
++ if (!kref_get_unless_zero(&claim->refcount))
++ continue;
++
+ backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
+ if (now)
+ goto purge_now;
+@@ -1313,6 +1320,7 @@ purge_now:
+ claim->addr, claim->vid);
+ skip:
+ batadv_backbone_gw_put(backbone_gw);
++ batadv_claim_put(claim);
+ }
+ rcu_read_unlock();
+ }
--- /dev/null
+From 4ae1709a314060a196981b344610d023ea841e57 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:50 +0200
+Subject: batman-adv: bla: prevent use-after-free when deleting claims
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 4ae1709a314060a196981b344610d023ea841e57 upstream.
+
+When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
+does this by dropping the link entry in the hash list. This list entry
+itself was one of the references which need to be dropped at the same time
+via batadv_claim_put().
+
+But the batadv_claim_put() must not be done before the last access to the
+claim object in this function. Otherwise the claim might be freed already
+by the batadv_claim_release() function before the list entry was dropped.
+
+Cc: stable@kernel.org
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct ba
+ if (claim->backbone_gw != backbone_gw)
+ continue;
+
+- batadv_claim_put(claim);
+ hlist_del_rcu(&claim->hash_entry);
++ batadv_claim_put(claim);
+ }
+ spin_unlock_bh(list_lock);
+ }
--- /dev/null
+From ba9d20ee9076dac32c371116bacbe72480eb356c Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:52 +0200
+Subject: batman-adv: bla: put backbone reference on failed claim hash insert
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream.
+
+When batadv_bla_add_claim() fails to insert a new claim into the hash, it
+leaked a reference to the backbone_gw for which the claim was intended.
+Call batadv_backbone_gw_put() on the error path to release the reference
+and avoid leaking the backbone_gw object.
+
+Cc: stable@kernel.org
+Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct
+
+ if (unlikely(hash_added != 0)) {
+ /* only local changes happened. */
++ batadv_backbone_gw_put(backbone_gw);
+ kfree(claim);
+ return;
+ }
--- /dev/null
+From 0799e5943611006b346b8813c7daf7dd5aa26bfd Mon Sep 17 00:00:00 2001
+From: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+Date: Wed, 22 Apr 2026 00:20:22 +0200
+Subject: batman-adv: fix integer overflow on buff_pos
+
+From: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+
+commit 0799e5943611006b346b8813c7daf7dd5aa26bfd upstream.
+
+Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size
+check is done using the int type in batadv_iv_ogm_aggr_packet whereas the
+buff_pos variable uses the s16 type. This could lead to an out-of-bound
+read.
+
+Cc: stable@vger.kernel.org
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Signed-off-by: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+Signed-off-by: Alexis Pinson <apinson@fuzzinglabs.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -334,7 +334,7 @@ static void batadv_iv_ogm_send_to_if(str
+ struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+ const char *fwd_str;
+ u8 packet_num;
+- s16 buff_pos;
++ int buff_pos;
+ struct batadv_ogm_packet *batadv_ogm_packet;
+ struct sk_buff *skb;
+ u8 *packet_pos;
--- /dev/null
+From 3243543592425beec83d453793e9d27caa0d8e66 Mon Sep 17 00:00:00 2001
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+Date: Mon, 27 Apr 2026 14:43:33 +0800
+Subject: batman-adv: reject new tp_meter sessions during teardown
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit 3243543592425beec83d453793e9d27caa0d8e66 upstream.
+
+Prevent tp_meter from starting new sender or receiver sessions after
+mesh_state has left BATADV_MESH_ACTIVE.
+
+Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/tp_meter.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -947,6 +947,13 @@ void batadv_tp_start(struct batadv_priv
+
+ /* look for an already existing test towards this node */
+ spin_lock_bh(&bat_priv->tp_list_lock);
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) {
++ spin_unlock_bh(&bat_priv->tp_list_lock);
++ batadv_tp_batctl_error_notify(BATADV_TP_REASON_DST_UNREACHABLE,
++ dst, bat_priv, session_cookie);
++ return;
++ }
++
+ tp_vars = batadv_tp_list_find(bat_priv, dst);
+ if (tp_vars) {
+ spin_unlock_bh(&bat_priv->tp_list_lock);
+@@ -1329,9 +1336,12 @@ static struct batadv_tp_vars *
+ batadv_tp_init_recv(struct batadv_priv *bat_priv,
+ const struct batadv_icmp_tp_packet *icmp)
+ {
+- struct batadv_tp_vars *tp_vars;
++ struct batadv_tp_vars *tp_vars = NULL;
+
+ spin_lock_bh(&bat_priv->tp_list_lock);
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
++ goto out_unlock;
++
+ tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
+ icmp->session);
+ if (tp_vars)
+@@ -1464,6 +1474,9 @@ void batadv_tp_meter_recv(struct batadv_
+ {
+ struct batadv_icmp_tp_packet *icmp;
+
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
++ goto out;
++
+ icmp = (struct batadv_icmp_tp_packet *)skb->data;
+
+ switch (icmp->subtype) {
+@@ -1478,6 +1491,8 @@ void batadv_tp_meter_recv(struct batadv_
+ "Received unknown TP Metric packet type %u\n",
+ icmp->subtype);
+ }
++
++out:
+ consume_skb(skb);
+ }
+
--- /dev/null
+From f03e8583532941b07761c5429de7d50766fa3110 Mon Sep 17 00:00:00 2001
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+Date: Sun, 3 May 2026 12:28:58 +0800
+Subject: batman-adv: stop caching unowned originator pointers in BAT IV
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit f03e8583532941b07761c5429de7d50766fa3110 upstream.
+
+BAT IV keeps the last-hop neighbor address in each neigh_node, but some
+paths also cache an originator pointer derived from a temporary lookup.
+That pointer is not owned by the neigh_node and may no longer refer to a
+live originator entry after purge handling runs.
+
+Stop storing the auxiliary originator pointer in the BAT IV neighbor
+state. When BAT IV needs the neighbor originator data, resolve it from
+the stored neighbor address and drop the reference again after use.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+[sven: avoid bonding logic for outgoing OGM]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 83 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 59 insertions(+), 24 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -172,19 +172,12 @@ free_orig_node_hash:
+ static struct batadv_neigh_node *
+ batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface,
+ const u8 *neigh_addr,
+- struct batadv_orig_node *orig_node,
+- struct batadv_orig_node *orig_neigh)
++ struct batadv_orig_node *orig_node)
+ {
+ struct batadv_neigh_node *neigh_node;
+
+ neigh_node = batadv_neigh_node_get_or_create(orig_node,
+ hard_iface, neigh_addr);
+- if (!neigh_node)
+- goto out;
+-
+- neigh_node->orig_node = orig_neigh;
+-
+-out:
+ return neigh_node;
+ }
+
+@@ -901,6 +894,31 @@ static u8 batadv_iv_orig_ifinfo_sum(stru
+ }
+
+ /**
++ * batadv_iv_ogm_neigh_ifinfo_sum() - Get bcast_own sum for a last-hop neighbor
++ * @bat_priv: the bat priv with all the mesh interface information
++ * @neigh_node: last-hop neighbor of an originator
++ *
++ * Return: Number of replied (rebroadcasted) OGMs for the originator currently
++ * announced by the neighbor. Returns 0 if the neighbor's originator entry is
++ * not available anymore.
++ */
++static u8 batadv_iv_ogm_neigh_ifinfo_sum(struct batadv_priv *bat_priv,
++ const struct batadv_neigh_node *neigh_node)
++{
++ struct batadv_orig_node *orig_neigh;
++ u8 sum;
++
++ orig_neigh = batadv_orig_hash_find(bat_priv, neigh_node->addr);
++ if (!orig_neigh)
++ return 0;
++
++ sum = batadv_iv_orig_ifinfo_sum(orig_neigh, neigh_node->if_incoming);
++ batadv_orig_node_put(orig_neigh);
++
++ return sum;
++}
++
++/**
+ * batadv_iv_ogm_orig_update() - use OGM to update corresponding data in an
+ * originator
+ * @bat_priv: the bat priv with all the soft interface information
+@@ -969,17 +987,9 @@ batadv_iv_ogm_orig_update(struct batadv_
+ }
+
+ if (!neigh_node) {
+- struct batadv_orig_node *orig_tmp;
+-
+- orig_tmp = batadv_iv_ogm_orig_get(bat_priv, ethhdr->h_source);
+- if (!orig_tmp)
+- goto unlock;
+-
+ neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
+ ethhdr->h_source,
+- orig_node, orig_tmp);
+-
+- batadv_orig_node_put(orig_tmp);
++ orig_node);
+ if (!neigh_node)
+ goto unlock;
+ } else {
+@@ -1031,10 +1041,9 @@ batadv_iv_ogm_orig_update(struct batadv_
+ */
+ if (router_ifinfo &&
+ neigh_ifinfo->bat_iv.tq_avg == router_ifinfo->bat_iv.tq_avg) {
+- sum_orig = batadv_iv_orig_ifinfo_sum(router->orig_node,
+- router->if_incoming);
+- sum_neigh = batadv_iv_orig_ifinfo_sum(neigh_node->orig_node,
+- neigh_node->if_incoming);
++ sum_orig = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, router);
++ sum_neigh = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv,
++ neigh_node);
+ if (sum_orig >= sum_neigh)
+ goto out;
+ }
+@@ -1100,7 +1109,6 @@ static bool batadv_iv_ogm_calc_tq(struct
+ if (!neigh_node)
+ neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
+ orig_neigh_node->orig,
+- orig_neigh_node,
+ orig_neigh_node);
+
+ if (!neigh_node)
+@@ -1297,6 +1305,32 @@ out:
+ }
+
+ /**
++ * batadv_orig_to_direct_router() - get direct next hop neighbor to an orig address
++ * @bat_priv: the bat priv with all the mesh interface information
++ * @orig_addr: the originator MAC address to search the best next hop router for
++ * @if_outgoing: the interface where the OGM should be sent to
++ *
++ * Return: A neighbor node which is the best router towards the given originator
++ * address. Bonding candidates are ignored.
++ */
++static struct batadv_neigh_node *
++batadv_orig_to_direct_router(struct batadv_priv *bat_priv, u8 *orig_addr,
++ struct batadv_hard_iface *if_outgoing)
++{
++ struct batadv_neigh_node *neigh_node;
++ struct batadv_orig_node *orig_node;
++
++ orig_node = batadv_orig_hash_find(bat_priv, orig_addr);
++ if (!orig_node)
++ return NULL;
++
++ neigh_node = batadv_orig_router_get(orig_node, if_outgoing);
++ batadv_orig_node_put(orig_node);
++
++ return neigh_node;
++}
++
++/**
+ * batadv_iv_ogm_process_per_outif() - process a batman iv OGM for an outgoing
+ * interface
+ * @skb: the skb containing the OGM
+@@ -1366,8 +1400,9 @@ batadv_iv_ogm_process_per_outif(const st
+
+ router = batadv_orig_router_get(orig_node, if_outgoing);
+ if (router) {
+- router_router = batadv_orig_router_get(router->orig_node,
+- if_outgoing);
++ router_router = batadv_orig_to_direct_router(bat_priv,
++ router->addr,
++ if_outgoing);
+ router_ifinfo = batadv_neigh_ifinfo_get(router, if_outgoing);
+ }
+
--- /dev/null
+From 66085e206431ef88ce36f53c1f53d570790ccc9e Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Wed, 25 Mar 2026 08:39:19 -0400
+Subject: drm/amdgpu: Add bounds checking to ib_{get,set}_value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 66085e206431ef88ce36f53c1f53d570790ccc9e upstream.
+
+The uvd/vce/vcn code accesses the IB at predefined offsets without
+checking that the IB is large enough. Check the bounds here. The caller
+is responsible for making sure it can handle arbitrary return values.
+
+Also make the idx a uint32_t to prevent overflows causing the condition
+to fail.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
+@@ -440,15 +440,18 @@ void amdgpu_debugfs_ring_init(struct amd
+
+ int amdgpu_ring_init_mqd(struct amdgpu_ring *ring);
+
+-static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, int idx)
++static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, uint32_t idx)
+ {
+- return ib->ptr[idx];
++ if (idx < ib->length_dw)
++ return ib->ptr[idx];
++ return 0;
+ }
+
+-static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, int idx,
++static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, uint32_t idx,
+ uint32_t value)
+ {
+- ib->ptr[idx] = value;
++ if (idx < ib->length_dw)
++ ib->ptr[idx] = value;
+ }
+
+ int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm,
--- /dev/null
+From 7bbfb2559bcec39d1a4e1182d931a2046112c352 Mon Sep 17 00:00:00 2001
+From: "John B. Moore" <jbmoore61@gmail.com>
+Date: Tue, 28 Apr 2026 11:35:12 -0500
+Subject: drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John B. Moore <jbmoore61@gmail.com>
+
+commit 7bbfb2559bcec39d1a4e1182d931a2046112c352 upstream.
+
+Remove the BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT) assertion from
+gfx_v9_0_ring_emit_fence_kiq(). The KIQ hardware supports 64-bit
+fence writes; the 32-bit writeback address constraint is an
+upper-layer convention, not a hardware limitation. The check serves
+no purpose and should not be present.
+
+Found by code inspection while investigating related BUG_ON
+assertions in the GFX and compute ring emission paths.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: John B. Moore <jbmoore61@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 1b1101a46a426bb4328116bb5273c326a2780389)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -5388,9 +5388,6 @@ static void gfx_v9_0_ring_emit_fence_kiq
+ {
+ struct amdgpu_device *adev = ring->adev;
+
+- /* we only allocate 32bit for each seq wb address */
+- BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT);
+-
+ /* write fence seq to the "addr" */
+ amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, 3));
+ amdgpu_ring_write(ring, (WRITE_DATA_ENGINE_SEL(0) |
--- /dev/null
+From 2a561b361b7681509710f3cfc3d95d54c87ac69f Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 27 Apr 2026 11:38:58 -0400
+Subject: drm/amdgpu/pm: add missing revision check for CI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 2a561b361b7681509710f3cfc3d95d54c87ac69f upstream.
+
+The ci_populate_all_memory_levels() workaround only
+applies to revision 0 SKUs.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 1db15ba8f72f400bbad8ae0ce24fafc43429d4bd)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+@@ -1326,8 +1326,9 @@ static int ci_populate_all_memory_levels
+
+ dev_id = adev->pdev->device;
+
+- if ((dpm_table->mclk_table.count >= 2)
+- && ((dev_id == 0x67B0) || (dev_id == 0x67B1))) {
++ if ((dpm_table->mclk_table.count >= 2) &&
++ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) &&
++ (adev->pdev->revision == 0)) {
+ smu_data->smc_state_table.MemoryLevel[1].MinVddci =
+ smu_data->smc_state_table.MemoryLevel[0].MinVddci;
+ smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
--- /dev/null
+From 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 28 Apr 2026 10:42:49 -0400
+Subject: drm/amdgpu/pm: align Hawaii mclk workaround with radeon
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d upstream.
+
+Align the hawaii mclk workaround with radeon and windows.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 9649528b637f668c5af9f2b83ca4ad8576ae2121)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+@@ -1329,10 +1329,10 @@ static int ci_populate_all_memory_levels
+ if ((dpm_table->mclk_table.count >= 2) &&
+ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) &&
+ (adev->pdev->revision == 0)) {
+- smu_data->smc_state_table.MemoryLevel[1].MinVddci =
+- smu_data->smc_state_table.MemoryLevel[0].MinVddci;
+- smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
+- smu_data->smc_state_table.MemoryLevel[0].MinMvdd;
++ smu_data->smc_state_table.MemoryLevel[1].MinVddc =
++ smu_data->smc_state_table.MemoryLevel[0].MinVddc;
++ smu_data->smc_state_table.MemoryLevel[1].MinVddcPhases =
++ smu_data->smc_state_table.MemoryLevel[0].MinVddcPhases;
+ }
+ smu_data->smc_state_table.MemoryLevel[0].ActivityLevel = 0x1F;
+ CONVERT_FROM_HOST_TO_SMC_US(smu_data->smc_state_table.MemoryLevel[0].ActivityLevel);
--- /dev/null
+From 78d2e624fa073c14970aa097adcf3ea31c157a66 Mon Sep 17 00:00:00 2001
+From: "John B. Moore" <jbmoore61@gmail.com>
+Date: Mon, 27 Apr 2026 16:06:28 -0500
+Subject: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John B. Moore <jbmoore61@gmail.com>
+
+commit 78d2e624fa073c14970aa097adcf3ea31c157a66 upstream.
+
+sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
+that verify fence writeback addresses are dword-aligned. These
+assertions can be reached from unprivileged userspace via crafted
+DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a
+scheduler worker thread.
+
+Replace both BUG_ON() calls with WARN_ON() to log the condition without
+crashing the kernel. A misaligned fence address at this point indicates
+a driver bug, but crashing the kernel is never the correct response when
+the assertion is reachable from userspace.
+
+The CS IOCTL path is the correct place to filter invalid submissions;
+the ring emission callback is too late to do anything about it.
+
+Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: John B. Moore <jbmoore61@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+@@ -841,7 +841,7 @@ static void sdma_v4_0_ring_emit_fence(st
+ /* write the fence */
+ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
+ /* zero in first two bits */
+- BUG_ON(addr & 0x3);
++ WARN_ON(addr & 0x3);
+ amdgpu_ring_write(ring, lower_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(addr));
+ amdgpu_ring_write(ring, lower_32_bits(seq));
+@@ -851,7 +851,7 @@ static void sdma_v4_0_ring_emit_fence(st
+ addr += 4;
+ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
+ /* zero in first two bits */
+- BUG_ON(addr & 0x3);
++ WARN_ON(addr & 0x3);
+ amdgpu_ring_write(ring, lower_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(seq));
--- /dev/null
+From de2a02cc28d6d5d37db07d00a9a684c754a5fd74 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Mon, 30 Mar 2026 15:01:27 -0400
+Subject: drm/amdgpu/vce: Prevent partial address patches
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit de2a02cc28d6d5d37db07d00a9a684c754a5fd74 upstream.
+
+In the case that only one of lo/hi is valid, the patching could result
+in a bad address written to in FW.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+@@ -654,6 +654,9 @@ static int amdgpu_vce_cs_reloc(struct am
+ uint64_t addr;
+ int r;
+
++ if (lo >= ib->length_dw || hi >= ib->length_dw)
++ return -EINVAL;
++
+ if (index == 0xffffffff)
+ index = 0;
+
--- /dev/null
+From b193019860d61e92da395eae2011f2f6716b182f Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Tue, 24 Mar 2026 16:25:56 -0400
+Subject: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit b193019860d61e92da395eae2011f2f6716b182f upstream.
+
+Check bounds against the end of the BO whenever we access the msg.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1789,7 +1789,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ {
+ struct ttm_operation_ctx ctx = { false, false };
+ struct amdgpu_bo_va_mapping *map;
+- uint32_t *msg, num_buffers;
++ uint32_t *msg, num_buffers, len_dw;
+ struct amdgpu_bo *bo;
+ uint64_t start, end;
+ unsigned int i;
+@@ -1810,6 +1810,11 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ return -EINVAL;
+ }
+
++ if (end - addr < 16) {
++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
++ return -EINVAL;
++ }
++
+ bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
+ amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
+ r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
+@@ -1826,8 +1831,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+
+ msg = ptr + addr - start;
+
+- /* Check length */
+ if (msg[1] > end - addr) {
++ DRM_ERROR("VCN message header does not fit in BO!\n");
+ r = -EINVAL;
+ goto out;
+ }
+@@ -1835,7 +1840,16 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ if (msg[3] != RDECODE_MSG_CREATE)
+ goto out;
+
++ len_dw = msg[1] / 4;
+ num_buffers = msg[2];
++
++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
++ DRM_ERROR("VCN message has too many buffers!\n");
++ r = -EINVAL;
++ goto out;
++ }
++
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
+
+@@ -1845,14 +1859,15 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (offset + size > end) {
++ if (size < 4 || offset + size > end - addr) {
++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
+ }
+
+ create = ptr + addr + offset - start;
+
+- /* H246, HEVC and VP9 can run on any instance */
++ /* H264, HEVC and VP9 can run on any instance */
+ if (create[0] == 0x7 || create[0] == 0x10 || create[0] == 0x11)
+ continue;
+
--- /dev/null
+From 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Wed, 25 Mar 2026 09:09:27 -0400
+Subject: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 upstream.
+
+Check bounds against the end of the BO whenever we access the msg.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1668,7 +1668,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ {
+ struct ttm_operation_ctx ctx = { false, false };
+ struct amdgpu_bo_va_mapping *map;
+- uint32_t *msg, num_buffers;
++ uint32_t *msg, num_buffers, len_dw;
+ struct amdgpu_bo *bo;
+ uint64_t start, end;
+ unsigned int i;
+@@ -1689,6 +1689,11 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ return -EINVAL;
+ }
+
++ if (end - addr < 16) {
++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
++ return -EINVAL;
++ }
++
+ bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
+ amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
+ r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
+@@ -1705,8 +1710,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+
+ msg = ptr + addr - start;
+
+- /* Check length */
+ if (msg[1] > end - addr) {
++ DRM_ERROR("VCN message header does not fit in BO!\n");
+ r = -EINVAL;
+ goto out;
+ }
+@@ -1714,7 +1719,16 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ if (msg[3] != RDECODE_MSG_CREATE)
+ goto out;
+
++ len_dw = msg[1] / 4;
+ num_buffers = msg[2];
++
++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
++ DRM_ERROR("VCN message has too many buffers!\n");
++ r = -EINVAL;
++ goto out;
++ }
++
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
+
+@@ -1724,7 +1738,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (offset + size > end) {
++ if (size < 4 || offset + size > end - addr) {
++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
+ }
--- /dev/null
+From 2444eb0ec8283f4a3845eb7febad378476e1ba3c Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Tue, 24 Mar 2026 16:42:05 -0400
+Subject: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 2444eb0ec8283f4a3845eb7febad378476e1ba3c upstream.
+
+Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the
+bounds checks.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1755,9 +1755,10 @@ out:
+ static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int start)
+ {
+ int i;
++ uint32_t len;
+
+- for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 4) {
+- if (ib->ptr[i + 1] == id)
++ for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) {
++ if (amdgpu_ib_get_value(ib, i + 1) == id)
+ return i;
+ }
+ return -1;
+@@ -1768,8 +1769,6 @@ static int vcn_v4_0_ring_patch_cs_in_pla
+ struct amdgpu_ib *ib)
+ {
+ struct amdgpu_ring *ring = amdgpu_job_ring(job);
+- struct amdgpu_vcn_decode_buffer *decode_buffer;
+- uint64_t addr;
+ uint32_t val;
+ int idx = 0, sidx;
+
+@@ -1780,20 +1779,22 @@ static int vcn_v4_0_ring_patch_cs_in_pla
+ while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO, idx)) >= 0) {
+ val = amdgpu_ib_get_value(ib, idx + 2); /* RADEON_VCN_ENGINE_TYPE */
+ if (val == RADEON_VCN_ENGINE_TYPE_DECODE) {
+- decode_buffer = (struct amdgpu_vcn_decode_buffer *)&ib->ptr[idx + 6];
++ uint32_t valid_buf_flag = amdgpu_ib_get_value(ib, idx + 6);
++ uint64_t msg_buffer_addr;
+
+- if (!(decode_buffer->valid_buf_flag & 0x1))
++ if (!(valid_buf_flag & 0x1))
+ return 0;
+
+- addr = ((u64)decode_buffer->msg_buffer_address_hi) << 32 |
+- decode_buffer->msg_buffer_address_lo;
+- return vcn_v4_0_dec_msg(p, job, addr);
++ msg_buffer_addr = ((u64)amdgpu_ib_get_value(ib, idx + 7)) << 32 |
++ amdgpu_ib_get_value(ib, idx + 8);
++ return vcn_v4_0_dec_msg(p, job, msg_buffer_addr);
+ } else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) {
+ sidx = vcn_v4_0_enc_find_ib_param(ib, RENCODE_IB_PARAM_SESSION_INIT, idx);
+- if (sidx >= 0 && ib->ptr[sidx + 2] == RENCODE_ENCODE_STANDARD_AV1)
++ if (sidx >= 0 &&
++ amdgpu_ib_get_value(ib, sidx + 2) == RENCODE_ENCODE_STANDARD_AV1)
+ return vcn_v4_0_limit_sched(p, job);
+ }
+- idx += ib->ptr[idx] / 4;
++ idx += amdgpu_ib_get_value(ib, idx) / 4;
+ }
+ return 0;
+ }
--- /dev/null
+From e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 Mon Sep 17 00:00:00 2001
+From: Philip Yang <Philip.Yang@amd.com>
+Date: Mon, 27 Apr 2026 09:30:23 -0400
+Subject: drm/amdgpu: zero-initialize GART table on allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philip Yang <Philip.Yang@amd.com>
+
+commit e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 upstream.
+
+GART TLB is flushed after unmapping but not after mapping. Since
+amdgpu_bo_create_kernel() does not zero-initialize the buffer, when a
+single PTE is written the TLB may speculatively load other uninitialized
+entries from the same cacheline. Those garbage entries can appear valid,
+and a subsequent write to another PTE in the same cacheline may cause the
+GPU to use a stale garbage PTE from the TLB.
+
+Fix this by calling memset_io() to zero-initialize the GART table with
+gart_pte_flags immediately after allocation.
+
+Using AMDGPU_GEM_CREATE_VRAM_CLEARED, SDMA-based clear will not work
+since SDMA needs GART to be initialized to work.
+
+Suggested-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Philip Yang <Philip.Yang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit d9af8263b82b6eaa60c5718e0c6631c5037e4b24)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+@@ -252,12 +252,19 @@ void amdgpu_gart_table_ram_free(struct a
+ */
+ int amdgpu_gart_table_vram_alloc(struct amdgpu_device *adev)
+ {
++ int r;
++
+ if (adev->gart.bo != NULL)
+ return 0;
+
+- return amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE,
+- AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
+- NULL, (void *)&adev->gart.ptr);
++ r = amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE,
++ AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
++ NULL, (void *)&adev->gart.ptr);
++ if (r)
++ return r;
++
++ memset_io(adev->gart.ptr, adev->gart.gart_pte_flags, adev->gart.table_size);
++ return 0;
+ }
+
+ /**
--- /dev/null
+From 74b73fa56a395d46745e4f245225963e9f8be7f1 Mon Sep 17 00:00:00 2001
+From: Alysa Liu <Alysa.Liu@amd.com>
+Date: Mon, 30 Mar 2026 10:50:07 -0400
+Subject: drm/amdkfd: Add upper bound check for num_of_nodes
+
+From: Alysa Liu <Alysa.Liu@amd.com>
+
+commit 74b73fa56a395d46745e4f245225963e9f8be7f1 upstream.
+
+drm/amdkfd: Add upper bound check for num_of_nodes
+in kfd_ioctl_get_process_apertures_new.
+
+Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 98ff46a5ea090c14d2cdb4f5b993b05d74f3949f)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +++
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 1 +
+ drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 11 +++++++++++
+ 3 files changed, 15 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -784,6 +784,9 @@ static int kfd_ioctl_get_process_apertur
+ goto out_unlock;
+ }
+
++ if (args->num_of_nodes > kfd_topology_get_num_devices())
++ return -EINVAL;
++
+ /* Fill in process-aperture information for all available
+ * nodes, but not more than args->num_of_nodes as that is
+ * the amount of memory allocated by user
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -1145,6 +1145,7 @@ static inline struct kfd_node *kfd_node_
+ return NULL;
+ }
+ int kfd_topology_enum_kfd_devices(uint8_t idx, struct kfd_node **kdev);
++uint32_t kfd_topology_get_num_devices(void);
+ int kfd_numa_node_to_apic_id(int numa_node_id);
+
+ /* Interrupts */
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+@@ -2177,6 +2177,17 @@ int kfd_topology_remove_device(struct kf
+ return res;
+ }
+
++uint32_t kfd_topology_get_num_devices(void)
++{
++ uint32_t num_devices;
++
++ down_read(&topology_lock);
++ num_devices = sys_props.num_devices;
++ up_read(&topology_lock);
++
++ return num_devices;
++}
++
+ /* kfd_topology_enum_kfd_devices - Enumerate through all devices in KFD
+ * topology. If GPU device is found @idx, then valid kfd_dev pointer is
+ * returned through @kdev
--- /dev/null
+From ad52d61d82181dbdb7f05826de38352d5e550cc2 Mon Sep 17 00:00:00 2001
+From: Amir Shetaia <Amir.Shetaia@amd.com>
+Date: Fri, 10 Apr 2026 10:38:13 -0400
+Subject: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amir Shetaia <Amir.Shetaia@amd.com>
+
+commit ad52d61d82181dbdb7f05826de38352d5e550cc2 upstream.
+
+KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE
+but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated
+VRAM with stale data from prior use observable by compute kernels.
+
+The GEM ioctl path already sets VRAM_CLEARED for all userspace
+allocations via amdgpu_gem_create_ioctl() and
+amdgpu_mode_dumb_create(). The KFD path was missing this flag,
+allowing stale page table remnants to leak into user buffers.
+
+This causes crashes in RCCL P2P transport where non-zero data in
+ptrExchange/head/tail fields corrupts the protocol handshake.
+
+Signed-off-by: Amir Shetaia <Amir.Shetaia@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1665,7 +1665,8 @@ int amdgpu_amdkfd_gpuvm_alloc_memory_of_
+ alloc_domain = AMDGPU_GEM_DOMAIN_GTT;
+ alloc_flags = 0;
+ } else {
+- alloc_flags = AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE;
++ alloc_flags = AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE |
++ AMDGPU_GEM_CREATE_VRAM_CLEARED;
+ alloc_flags |= (flags & KFD_IOC_ALLOC_MEM_FLAGS_PUBLIC) ?
+ AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED : 0;
+ }
--- /dev/null
+From 045e0ff208f0838a246c10204105126611b267a1 Mon Sep 17 00:00:00 2001
+From: Alysa Liu <Alysa.Liu@amd.com>
+Date: Tue, 21 Apr 2026 10:18:28 -0400
+Subject: drm/amdkfd: validate SVM ioctl nattr against buffer size
+
+From: Alysa Liu <Alysa.Liu@amd.com>
+
+commit 045e0ff208f0838a246c10204105126611b267a1 upstream.
+
+Validate nattr field against the buffer size, preventing
+out-of-bounds buffer access via user-controlled attribute count.
+
+Reviewed-by: Amir Shetaia <Amir.Shetaia@amd.com>
+Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 26 ++++++++++++++++++++++++--
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 3 +++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -26,6 +26,7 @@
+ #include <linux/err.h>
+ #include <linux/fs.h>
+ #include <linux/file.h>
++#include <linux/overflow.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/uaccess.h>
+@@ -1705,6 +1706,16 @@ static int kfd_ioctl_smi_events(struct f
+ return kfd_smi_event_open(pdd->dev, &args->anon_fd);
+ }
+
++static int kfd_ioctl_svm_validate(void *kdata, unsigned int usize)
++{
++ struct kfd_ioctl_svm_args *args = kdata;
++ size_t expected = struct_size(args, attrs, args->nattr);
++
++ if (expected == SIZE_MAX || usize < expected)
++ return -EINVAL;
++ return 0;
++}
++
+ #if IS_ENABLED(CONFIG_HSA_AMD_SVM)
+
+ static int kfd_ioctl_set_xnack_mode(struct file *filep,
+@@ -3128,7 +3139,11 @@ out:
+
+ #define AMDKFD_IOCTL_DEF(ioctl, _func, _flags) \
+ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
+- .cmd_drv = 0, .name = #ioctl}
++ .validate = NULL, .cmd_drv = 0, .name = #ioctl}
++
++#define AMDKFD_IOCTL_DEF_V(ioctl, _func, _validate, _flags) \
++ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
++ .validate = _validate, .cmd_drv = 0, .name = #ioctl}
+
+ /** Ioctl table */
+ static const struct amdkfd_ioctl_desc amdkfd_ioctls[] = {
+@@ -3225,7 +3240,8 @@ static const struct amdkfd_ioctl_desc am
+ AMDKFD_IOCTL_DEF(AMDKFD_IOC_SMI_EVENTS,
+ kfd_ioctl_smi_events, 0),
+
+- AMDKFD_IOCTL_DEF(AMDKFD_IOC_SVM, kfd_ioctl_svm, 0),
++ AMDKFD_IOCTL_DEF_V(AMDKFD_IOC_SVM, kfd_ioctl_svm,
++ kfd_ioctl_svm_validate, 0),
+
+ AMDKFD_IOCTL_DEF(AMDKFD_IOC_SET_XNACK_MODE,
+ kfd_ioctl_set_xnack_mode, 0),
+@@ -3347,6 +3363,12 @@ static long kfd_ioctl(struct file *filep
+ memset(kdata, 0, usize);
+ }
+
++ if (ioctl->validate) {
++ retcode = ioctl->validate(kdata, usize);
++ if (retcode)
++ goto err_i1;
++ }
++
+ retcode = func(filep, process, kdata);
+
+ if (cmd & IOC_OUT)
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -1006,10 +1006,13 @@ extern struct srcu_struct kfd_processes_
+ typedef int amdkfd_ioctl_t(struct file *filep, struct kfd_process *p,
+ void *data);
+
++typedef int amdkfd_ioctl_validate_t(void *kdata, unsigned int usize);
++
+ struct amdkfd_ioctl_desc {
+ unsigned int cmd;
+ int flags;
+ amdkfd_ioctl_t *func;
++ amdkfd_ioctl_validate_t *validate;
+ unsigned int cmd_drv;
+ const char *name;
+ };
--- /dev/null
+From 3d4c2268bd7243c3780fe32bf24ff876da272acf Mon Sep 17 00:00:00 2001
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Date: Mon, 20 Apr 2026 01:36:37 +0000
+Subject: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
+
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+
+commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream.
+
+drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
+using plain integer division:
+
+ unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
+ unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
+
+However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
+drm_format_info_plane_width/height() which round up dimensions via
+DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
+size check for certain pixel format and dimension combinations.
+
+For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
+GEM size validation path sees height=0 instead of height=1. The
+expression (height - 1) then wraps to UINT_MAX as an unsigned int,
+causing min_size to overflow and wrap back to a small value. A tiny
+GEM object therefore passes the size guard, yet when the GPU accesses
+the chroma plane it will read or write memory beyond the object's
+bounds.
+
+Fix by replacing the open-coded divisions with drm_format_info_plane_width()
+and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
+the calculation already used in framebuffer_check().
+
+Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library")
+Cc: stable@vger.kernel.org # v4.14+
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
++++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
+@@ -174,8 +174,8 @@ int drm_gem_fb_init_with_funcs(struct dr
+ }
+
+ for (i = 0; i < info->num_planes; i++) {
+- unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
+- unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
++ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i);
++ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i);
+ unsigned int min_size;
+
+ objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]);
--- /dev/null
+From 17223816498f7b117d138d18eb0eba63604dc74e Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 27 Apr 2026 11:40:25 -0400
+Subject: drm/radeon: add missing revision check for CI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 17223816498f7b117d138d18eb0eba63604dc74e upstream.
+
+The memory level workarounds only apply to revision 0 SKUs.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 127e056e2a82 ("drm/radeon: fix mclk vddc configuration for cards for hawaii")
+Fixes: 21b8a369046f ("drm/radeon: fix dram timing for certain hawaii boards")
+Fixes: 90b2fee35cb9 ("drm/radeon: fix dpm mc init for certain hawaii boards")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 4d8dcc14311515077062b5740f39f427075de5c9)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -2466,7 +2466,8 @@ static void ci_register_patching_mc_arb(
+
+ if (patch &&
+ ((rdev->pdev->device == 0x67B0) ||
+- (rdev->pdev->device == 0x67B1))) {
++ (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ if ((memory_clock > 100000) && (memory_clock <= 125000)) {
+ tmp2 = (((0x31 * engine_clock) / 125000) - 1) & 0xff;
+ *dram_timimg2 &= ~0x00ff0000;
+@@ -3307,7 +3308,8 @@ static int ci_populate_all_memory_levels
+ pi->smc_state_table.MemoryLevel[0].EnabledForActivity = 1;
+
+ if ((dpm_table->mclk_table.count >= 2) &&
+- ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1))) {
++ ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ pi->smc_state_table.MemoryLevel[1].MinVddc =
+ pi->smc_state_table.MemoryLevel[0].MinVddc;
+ pi->smc_state_table.MemoryLevel[1].MinVddcPhases =
+@@ -4504,7 +4506,8 @@ static int ci_register_patching_mc_seq(s
+
+ if (patch &&
+ ((rdev->pdev->device == 0x67B0) ||
+- (rdev->pdev->device == 0x67B1))) {
++ (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ for (i = 0; i < table->last; i++) {
+ if (table->last >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
--- /dev/null
+From abb5f36771cc4c05899b34000829a787572a8817 Mon Sep 17 00:00:00 2001
+From: Ben Morris <bmorris@anthropic.com>
+Date: Thu, 7 May 2026 17:14:55 -0700
+Subject: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
+
+From: Ben Morris <bmorris@anthropic.com>
+
+commit abb5f36771cc4c05899b34000829a787572a8817 upstream.
+
+The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
+list_for_each_entry_safe(), which caches the next entry in @tmp before
+the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
+drop the socket lock inside sctp_wait_for_sndbuf().
+
+While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
+association cached in @tmp, migrating it to a new endpoint via
+sctp_sock_migrate() (list_del_init() + list_add_tail() to
+newep->asocs), and optionally close the new socket which frees the
+association via kfree_rcu(). The cached @tmp can also be freed by a
+network ABORT for that association, processed in softirq while the
+lock is dropped.
+
+sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
+via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
+revalidates @tmp. After a successful return, the iterator advances to
+the stale @tmp, yielding either a use-after-free (if the peeled socket
+was closed) or a list-walk onto the new endpoint's list head (type
+confusion of &newep->asocs as a struct sctp_association *).
+
+Both are reachable from CapEff=0; the type-confusion path gives
+controlled indirect call via the outqueue.sched->init_sid pointer.
+
+Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
+returns. @asoc is known to still be on ep->asocs at that point: the
+only callers that list_del an association from ep->asocs are
+sctp_association_free() (which sets asoc->base.dead) and
+sctp_assoc_migrate() (which changes asoc->base.sk), and
+sctp_wait_for_sndbuf() checks both under the lock before any
+successful return; a tripped check propagates as err < 0 and the loop
+bails before the re-derive.
+
+The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
+loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
+the @tmp cached by list_for_each_entry_safe() still covers the
+lock-held free that ba59fb027307 ("sctp: walk the list of asoc
+safely") was added for.
+
+Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Morris <bmorris@anthropic.com>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1985,6 +1985,15 @@ static int sctp_sendmsg(struct sock *sk,
+ goto out_unlock;
+
+ iov_iter_revert(&msg->msg_iter, err);
++
++ /* sctp_sendmsg_to_asoc() may have released the socket
++ * lock (sctp_wait_for_sndbuf), during which other
++ * associations on ep->asocs could have been peeled
++ * off or freed. @asoc itself is revalidated by the
++ * base.dead and base.sk checks in sctp_wait_for_sndbuf,
++ * so re-derive the cached cursor from it.
++ */
++ tmp = list_next_entry(asoc, asocs);
+ }
+
+ goto out_unlock;
spi-fsl-espi-fix-controller-deregistration.patch
spi-omap2-mcspi-fix-controller-deregistration.patch
spi-mtk-nor-fix-controller-deregistration.patch
+spi-sh-hspi-fix-controller-deregistration.patch
+spi-fsl-fix-controller-deregistration.patch
+spi-bcmbca-hsspi-fix-controller-deregistration.patch
+spi-coldfire-qspi-fix-controller-deregistration.patch
+spi-sprd-fix-controller-deregistration.patch
+spi-rspi-fix-controller-deregistration.patch
+spi-img-spfi-fix-controller-deregistration.patch
+spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch
+spi-orion-fix-runtime-pm-leak-on-unbind.patch
+spi-orion-fix-clock-imbalance-on-registration-failure.patch
+spi-mpc52xx-fix-use-after-free-on-unbind.patch
+spi-cadence-fix-controller-deregistration.patch
+spi-cadence-fix-unclocked-access-on-unbind.patch
+drm-amdkfd-clear-vram-on-allocation-to-prevent-stale-data-exposure.patch
+drm-amdkfd-add-upper-bound-check-for-num_of_nodes.patch
+drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch
+drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-ib.patch
+drm-amdgpu-vce-prevent-partial-address-patches.patch
+drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch
+drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch
+drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch
+drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch
+drm-radeon-add-missing-revision-check-for-ci.patch
+drm-amdgpu-zero-initialize-gart-table-on-allocation.patch
+drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch
+drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch
+drm-amdgpu-pm-add-missing-revision-check-for-ci.patch
+drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch
+sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch
+batman-adv-fix-integer-overflow-on-buff_pos.patch
+batman-adv-reject-new-tp_meter-sessions-during-teardown.patch
+batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch
+batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch
+batman-adv-bla-only-purge-non-released-claims.patch
+batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch
--- /dev/null
+From c3d97c3320b9a1ebbd6119857341be034f7b3efc Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Apr 2026 14:04:06 +0200
+Subject: spi: bcmbca-hsspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c3d97c3320b9a1ebbd6119857341be034f7b3efc upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like interrupts during driver unbind to allow SPI drivers to
+do I/O during deregistration.
+
+Note that clocks were also disabled before the recent commit
+e532e21a246d ("spi: bcm63xx-hsspi: Simplify clock handling with
+devm_clk_get_enabled()").
+
+Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller")
+Cc: stable@vger.kernel.org # 6.3: deb269e0394f
+Cc: stable@vger.kernel.org # 6.3
+Cc: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260409120419.388546-8-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcmbca-hsspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-bcmbca-hsspi.c
++++ b/drivers/spi/spi-bcmbca-hsspi.c
+@@ -557,7 +557,7 @@ static int bcmbca_hsspi_probe(struct pla
+ }
+
+ /* register and we are done */
+- ret = devm_spi_register_controller(dev, host);
++ ret = spi_register_controller(host);
+ if (ret)
+ goto out_sysgroup_disable;
+
+@@ -581,6 +581,8 @@ static void bcmbca_hsspi_remove(struct p
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct bcmbca_hsspi *bs = spi_controller_get_devdata(host);
+
++ spi_unregister_controller(host);
++
+ /* reset the hardware and block queue progress */
+ __raw_writel(0, bs->regs + HSSPI_INT_MASK_REG);
+ clk_disable_unprepare(bs->pll_clk);
--- /dev/null
+From 666fa7e9ca98e71c880086ca24147ae843f1ed6e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:12 +0200
+Subject: spi: cadence: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 666fa7e9ca98e71c880086ca24147ae843f1ed6e upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: c474b3866546 ("spi: Add driver for Cadence SPI controller")
+Cc: stable@vger.kernel.org # 3.16
+Cc: Harini Katakam <harinik@xilinx.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -686,6 +686,10 @@ static void cdns_spi_remove(struct platf
+ struct spi_controller *ctlr = platform_get_drvdata(pdev);
+ struct cdns_spi *xspi = spi_controller_get_devdata(ctlr);
+
++ spi_controller_get(ctlr);
++
++ spi_unregister_controller(ctlr);
++
+ cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
+
+ if (!spi_controller_is_target(ctlr)) {
+@@ -693,7 +697,7 @@ static void cdns_spi_remove(struct platf
+ pm_runtime_set_suspended(&pdev->dev);
+ }
+
+- spi_unregister_controller(ctlr);
++ spi_controller_put(ctlr);
+ }
+
+ /**
--- /dev/null
+From 5b1689a41f02955c5361944f748a4812a6ff9307 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 14:36:12 +0200
+Subject: spi: cadence: fix unclocked access on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5b1689a41f02955c5361944f748a4812a6ff9307 upstream.
+
+Make sure that the controller is runtime resumed before disabling it
+during driver unbind to avoid unclocked register access and unbalanced
+clock disable.
+
+Also restore the autosuspend setting.
+
+This issue was flagged by Sashiko when reviewing a controller
+deregistration fix.
+
+Fixes: d36ccd9f7ea4 ("spi: cadence: Runtime pm adaptation")
+Cc: stable@vger.kernel.org # 4.7
+Cc: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=1
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421123615.1533617-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -685,16 +685,23 @@ static void cdns_spi_remove(struct platf
+ {
+ struct spi_controller *ctlr = platform_get_drvdata(pdev);
+ struct cdns_spi *xspi = spi_controller_get_devdata(ctlr);
++ int ret = 0;
++
++ if (!spi_controller_is_target(ctlr))
++ ret = pm_runtime_get_sync(&pdev->dev);
+
+ spi_controller_get(ctlr);
+
+ spi_unregister_controller(ctlr);
+
+- cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
++ if (ret >= 0)
++ cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
+
+ if (!spi_controller_is_target(ctlr)) {
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ }
+
+ spi_controller_put(ctlr);
--- /dev/null
+From e7c510e192ff2a1264d999575eea39a506424264 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Apr 2026 14:04:09 +0200
+Subject: spi: coldfire-qspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e7c510e192ff2a1264d999575eea39a506424264 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks (via runtime pm) during driver unbind.
+
+Fixes: 34b8c6617366 ("spi: Add Freescale/Motorola Coldfire QSPI driver")
+Cc: stable@vger.kernel.org # 2.6.34
+Cc: Steven King <sfking@fdwdc.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260409120419.388546-11-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-coldfire-qspi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-coldfire-qspi.c
++++ b/drivers/spi/spi-coldfire-qspi.c
+@@ -410,9 +410,9 @@ static int mcfqspi_probe(struct platform
+ platform_set_drvdata(pdev, host);
+ pm_runtime_enable(&pdev->dev);
+
+- status = devm_spi_register_controller(&pdev->dev, host);
++ status = spi_register_controller(host);
+ if (status) {
+- dev_dbg(&pdev->dev, "devm_spi_register_controller failed\n");
++ dev_dbg(&pdev->dev, "failed to register controller\n");
+ goto fail1;
+ }
+
+@@ -436,11 +436,17 @@ static void mcfqspi_remove(struct platfo
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct mcfqspi *mcfqspi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ pm_runtime_disable(&pdev->dev);
+ /* disable the hardware (set the baud rate to 0) */
+ mcfqspi_wr_qmr(mcfqspi, MCFQSPI_QMR_MSTR);
+
+ mcfqspi_cs_teardown(mcfqspi);
++
++ spi_controller_put(host);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
--- /dev/null
+From 9b7abfed4c3754062d1f3ffd452e65a38667f586 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 08:47:49 +0200
+Subject: spi: fsl: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9b7abfed4c3754062d1f3ffd452e65a38667f586 upstream.
+
+Make sure to deregister the controller before releasing underlying
+resources like DMA during driver unbind.
+
+Fixes: 4178b6b1b595 ("spi: fsl-(e)spi: migrate to using devm_ functions to simplify cleanup")
+Cc: stable@vger.kernel.org # 4.3
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410064749.496888-1-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsl-spi.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -615,7 +615,7 @@ static struct spi_controller *fsl_spi_pr
+
+ mpc8xxx_spi_write_reg(®_base->mode, regval);
+
+- ret = devm_spi_register_controller(dev, host);
++ ret = spi_register_controller(host);
+ if (ret < 0)
+ goto err_probe;
+
+@@ -706,7 +706,13 @@ static void of_fsl_spi_remove(struct pla
+ struct spi_controller *host = platform_get_drvdata(ofdev);
+ struct mpc8xxx_spi *mpc8xxx_spi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ fsl_spi_cpm_free(mpc8xxx_spi);
++
++ spi_controller_put(host);
+ }
+
+ static struct platform_driver of_fsl_spi_driver = {
+@@ -752,7 +758,13 @@ static void plat_mpc8xxx_spi_remove(stru
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct mpc8xxx_spi *mpc8xxx_spi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ fsl_spi_cpm_free(mpc8xxx_spi);
++
++ spi_controller_put(host);
+ }
+
+ MODULE_ALIAS("platform:mpc8xxx_spi");
--- /dev/null
+From fc3a83b0d9c16b941c9028f5a8db9541dce4ddf2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Apr 2026 14:04:14 +0200
+Subject: spi: img-spfi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit fc3a83b0d9c16b941c9028f5a8db9541dce4ddf2 upstream.
+
+Make sure to deregister the controller before disabling and releasing
+underlying resources like clocks and DMA during driver unbind.
+
+Fixes: deba25800a12 ("spi: Add driver for IMG SPFI controller")
+Cc: stable@vger.kernel.org # 3.19
+Cc: Andrew Bresticker <abrestic@chromium.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260409120419.388546-16-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-img-spfi.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-img-spfi.c
++++ b/drivers/spi/spi-img-spfi.c
+@@ -644,7 +644,7 @@ static int img_spfi_probe(struct platfor
+ pm_runtime_set_active(spfi->dev);
+ pm_runtime_enable(spfi->dev);
+
+- ret = devm_spi_register_controller(spfi->dev, host);
++ ret = spi_register_controller(host);
+ if (ret)
+ goto disable_pm;
+
+@@ -670,6 +670,10 @@ static void img_spfi_remove(struct platf
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct img_spfi *spfi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ if (spfi->tx_ch)
+ dma_release_channel(spfi->tx_ch);
+ if (spfi->rx_ch)
+@@ -680,6 +684,8 @@ static void img_spfi_remove(struct platf
+ clk_disable_unprepare(spfi->spfi_clk);
+ clk_disable_unprepare(spfi->sys_clk);
+ }
++
++ spi_controller_put(host);
+ }
+
+ #ifdef CONFIG_PM
--- /dev/null
+From a1d50a37d3b1df84f536a982f692371039df4a48 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 14:56:32 +0200
+Subject: spi: imx: fix runtime pm leak on probe deferral
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a1d50a37d3b1df84f536a982f692371039df4a48 upstream.
+
+Make sure to balance the runtime PM usage count before returning on
+probe failure (e.g. probe deferral) so that the controller can be
+suspended when a driver is later bound.
+
+Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM")
+Cc: stable@vger.kernel.org # 5.10
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421125632.1537235-1-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-imx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1881,6 +1881,7 @@ out_register_controller:
+ out_runtime_pm_put:
+ pm_runtime_dont_use_autosuspend(spi_imx->dev);
+ pm_runtime_disable(spi_imx->dev);
++ pm_runtime_put_noidle(spi_imx->dev);
+ pm_runtime_set_suspended(&pdev->dev);
+
+ clk_disable_unprepare(spi_imx->clk_ipg);
--- /dev/null
+From 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:15 +0200
+Subject: spi: mpc52xx: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream.
+
+The state machine work is scheduled by the interrupt handler and
+therefore needs to be cancelled after disabling interrupts to avoid a
+potential use-after-free.
+
+Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove")
+Cc: stable@vger.kernel.org
+Cc: Pei Xiao <xiaopei01@kylinos.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-mpc52xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-mpc52xx.c
++++ b/drivers/spi/spi-mpc52xx.c
+@@ -519,10 +519,11 @@ static void mpc52xx_spi_remove(struct pl
+ struct mpc52xx_spi *ms = spi_master_get_devdata(master);
+ int i;
+
+- cancel_work_sync(&ms->work);
+ free_irq(ms->irq0, ms);
+ free_irq(ms->irq1, ms);
+
++ cancel_work_sync(&ms->work);
++
+ for (i = 0; i < ms->gpio_cs_count; i++)
+ gpiod_put(ms->gpio_cs[i]);
+
--- /dev/null
+From 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 15:02:10 +0200
+Subject: spi: orion: fix clock imbalance on registration failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 upstream.
+
+Make sure that the controller is not runtime suspended before disabling
+clocks on probe failure.
+
+Also restore the autosuspend setting.
+
+Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support")
+Cc: stable@vger.kernel.org # 3.17
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421130211.1537628-3-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-orion.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/spi/spi-orion.c
++++ b/drivers/spi/spi-orion.c
+@@ -778,6 +778,7 @@ static int orion_spi_probe(struct platfo
+ pm_runtime_set_active(&pdev->dev);
+ pm_runtime_use_autosuspend(&pdev->dev);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
++ pm_runtime_get_noresume(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+
+ status = orion_spi_reset(spi);
+@@ -789,10 +790,15 @@ static int orion_spi_probe(struct platfo
+ if (status < 0)
+ goto out_rel_pm;
+
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ return status;
+
+ out_rel_pm:
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ out_rel_axi_clk:
+ clk_disable_unprepare(spi->axi_clk);
+ out_rel_clk:
--- /dev/null
+From 97b17dd8266d2e26d9ee3c75a0fa34ecde6944f0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 15:02:09 +0200
+Subject: spi: orion: fix runtime pm leak on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 97b17dd8266d2e26d9ee3c75a0fa34ecde6944f0 upstream.
+
+Make sure to balance the runtime PM usage count on driver unbind so that
+the controller can be suspended when a driver is rebound.
+
+Also restore the autosuspend setting.
+
+This issue was flagged by Sashiko when reviewing a controller
+deregistration fix.
+
+Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support")
+Cc: stable@vger.kernel.org # 3.17
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=6
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421130211.1537628-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-orion.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/spi/spi-orion.c
++++ b/drivers/spi/spi-orion.c
+@@ -814,6 +814,9 @@ static void orion_spi_remove(struct plat
+
+ spi_unregister_controller(host);
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ }
+
+ MODULE_ALIAS("platform:" DRIVER_NAME);
--- /dev/null
+From 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:40 +0200
+Subject: spi: rspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc upstream.
+
+Make sure to deregister the controller before releasing underlying
+resources like DMA during driver unbind.
+
+Fixes: 9e03d05eee4c ("spi: rcar: Use devm_spi_register_master()")
+Cc: stable@vger.kernel.org # 3.14
+Cc: Jingoo Han <jg1.han@samsung.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-11-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-rspi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -1176,8 +1176,14 @@ static void rspi_remove(struct platform_
+ {
+ struct rspi_data *rspi = platform_get_drvdata(pdev);
+
++ spi_controller_get(rspi->ctlr);
++
++ spi_unregister_controller(rspi->ctlr);
++
+ rspi_release_dma(rspi->ctlr);
+ pm_runtime_disable(&pdev->dev);
++
++ spi_controller_put(rspi->ctlr);
+ }
+
+ static const struct spi_ops rspi_ops = {
+@@ -1387,9 +1393,9 @@ static int rspi_probe(struct platform_de
+ if (ret < 0)
+ dev_warn(&pdev->dev, "DMA not available, using PIO\n");
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret < 0) {
+- dev_err(&pdev->dev, "devm_spi_register_controller error.\n");
++ dev_err(&pdev->dev, "failed to register controller\n");
+ goto error3;
+ }
+
--- /dev/null
+From e63982e6392e45a6ecd68d6c317a081cc8e70143 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:42 +0200
+Subject: spi: sh-hspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e63982e6392e45a6ecd68d6c317a081cc8e70143 upstream.
+
+Make sure to deregister the controller before releasing underlying
+resources like clocks during driver unbind.
+
+Fixes: 49e599b8595f ("spi: sh-hspi: control spi clock more correctly")
+Cc: stable@vger.kernel.org # 3.4
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-13-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sh-hspi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-sh-hspi.c
++++ b/drivers/spi/spi-sh-hspi.c
+@@ -258,9 +258,9 @@ static int hspi_probe(struct platform_de
+ ctlr->transfer_one_message = hspi_transfer_one_message;
+ ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret < 0) {
+- dev_err(&pdev->dev, "devm_spi_register_controller error.\n");
++ dev_err(&pdev->dev, "failed to register controller\n");
+ goto error2;
+ }
+
+@@ -280,9 +280,15 @@ static void hspi_remove(struct platform_
+ {
+ struct hspi_priv *hspi = platform_get_drvdata(pdev);
+
++ spi_controller_get(hspi->ctlr);
++
++ spi_unregister_controller(hspi->ctlr);
++
+ pm_runtime_disable(&pdev->dev);
+
+ clk_put(hspi->clk);
++
++ spi_controller_put(hspi->ctlr);
+ }
+
+ static const struct of_device_id hspi_of_match[] = {
--- /dev/null
+From 123d17dbc5f07059752fa5e616385ca29a8f935a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:46 +0200
+Subject: spi: sprd: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 123d17dbc5f07059752fa5e616385ca29a8f935a upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Note that the controller is suspended before disabling and releasing
+resources since commit de082d866cce ("spi: sprd: Add the SPI irq
+function for the SPI DMA mode") which avoids issues like unclocked
+accesses but prevents SPI device drivers from doing I/O during
+deregistration.
+
+Fixes: e7d973a31c24 ("spi: sprd: Add SPI driver for Spreadtrum SC9860")
+Cc: stable@vger.kernel.org # 4.20
+Cc: Lanqing Liu <lanqing.liu@spreadtrum.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-17-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sprd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-sprd.c
++++ b/drivers/spi/spi-sprd.c
+@@ -978,7 +978,7 @@ static int sprd_spi_probe(struct platfor
+ goto err_rpm_put;
+ }
+
+- ret = devm_spi_register_controller(&pdev->dev, sctlr);
++ ret = spi_register_controller(sctlr);
+ if (ret)
+ goto err_rpm_put;
+
+@@ -1010,7 +1010,9 @@ static void sprd_spi_remove(struct platf
+ if (ret < 0)
+ dev_err(ss->dev, "failed to resume SPI controller\n");
+
+- spi_controller_suspend(sctlr);
++ spi_controller_get(sctlr);
++
++ spi_unregister_controller(sctlr);
+
+ if (ret >= 0) {
+ if (ss->dma.enable)
+@@ -1019,6 +1021,8 @@ static void sprd_spi_remove(struct platf
+ }
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
++
++ spi_controller_put(sctlr);
+ }
+
+ static int __maybe_unused sprd_spi_runtime_suspend(struct device *dev)
projects / thirdparty / kernel / stable-queue.git / commitdiff
